The PhishLabs Blog

How To Change Security Behaviors: Identity Management

Taking over an account is a huge win for threat actors, which can easily lead to malware infections, large-scale data theft, and even industrial espionage.

Unfortunately, many people simply don’t understand the risks associated with account compromise, or how their actions can endanger themselves and the organization.

But as always, traditional security awareness training programs do little to change this trend. So if you’re serious about reducing cyber risk for your organization, you’ll need to focus on changing security behaviors instead.

Owning Your Identity

When it comes to changing security behaviors, one shift in particular matters most: convincing employees to take responsibility for their own identities.

Until that happens, you’ll be stuck at the level of attempting to instill behaviors in employees which seemingly only benefit the organization. You may very well have some success… just not nearly as much as you’d enjoy if your employees were truly engaged in the process.

Unfortunately, getting there is far from easy. It requires significant effort and regular reinforcement over the medium to long term.

But here’s the good part. If you can convey the importance of ID management to your employees, the will take notice. Why? Because it doesn’t only affect their work lives, it affects their personal lives too.

Identity theft and account compromise have become extremely common, and most people are rightly worried it might happen to them. So when you’re constructing your training program, try to include content that employees can relate to from both a business and personal perspective.

Ownership Leads To Behavioral Change

Let’s be honest, most people choose terrible passwords. Organizations try very hard to prevent this, by requiring the use of special characters, disallowing commonly used passwords, and forcing employees to change their passwords regularly… but it happens anyway, and everybody knows it.

After all, you can lead a horse to water, but you can’t force him not to set all his passwords to the name of his favorite Game of Thrones character.

What you can do, however, is help your employees understand why they’re being asked to choose better passwords. If they understand the dangers posed by account compromise, password reuse attacks, and brute force attacks, they’ll be far more likely to take basic security hygiene practices seriously.

Of course, while ownership is an extremely valuable concept, you do still need to construct a program with powerful, relevant content. Here are some of the behaviors you’ll want to cover:

Setting secure passwords

Not writing passwords down

Locking devices when not in use

Keeping work and private accounts separate

Never allowing others to access their account

Passwords: The Key to Identity Management

For most people, strong passwords are synonymous with good ID management.

And that makes sense. If you have engaged employees with strong passwords, you’ll be well on your way to reducing cyber risk.

There’s just one problem.

Most people don’t have any idea what makes a good password. Even worse, when employers force them to choose passwords within specific character and content requirements, many people choose to write their passwords down and leave them lying around their workspace. Why? Because the needs of the organization and the needs of the individual aren’t in harmony.

From a security perspective, there are two main concerns where passwords are concerned:

Is the password easily guessed, e.g., by a threat actor who has researched their victim online

Will the password stand up to brute force attacks?

The concerns of an individual employee are quite different. They are, quite simply: “Will I be able to remember this password?”

But here’s the thing. If you know what you’re doing, it’s simple enough to reconcile the concerns of both the employee and the organization. All the have to do is teach them to create passwords that are both secure and memorable.

But can you see yourself remembering it reliably? Probably not. And even worse, it could be cracked by a medium sized botnet in under a week.

At the other end of the scale, what do you think of yayforstrongpasswords? Looks terrible, right? Well in fact, because of its length, the same mid-sized botnet would take around 2 billion years to crack it. Go the extra mile and include a special character or two, and you’ve got a highly memorable password that’s almost impossible to guess or crack.

Does that seem like something you should be teaching your users? If it doesn’t, maybe Edward Snowdencan change your mind.

Effecting Change

Strong, useful content is essential to any security training program, and will naturally encourage employees to take responsibility for their digital identities. But if you stick with the traditional approach to security awareness training — long, boring annual sessions — you simply won’t see the results you’re hoping for.

Instead of long, infrequent classroom sessions, train your employees in short, frequent bursts using online multimedia tools. This approach, which we like to call micro learning, provides employees with just what they need to know, when they need to know it, and nothing more.

For instance, what better time to teach employees about password security than the precise moment when they're asked to update their password?

Regular training sessions serve as a reminder of the importance of security behaviors in general, as well as the specific topic being covered in each session. In taking this approach, you’ll be ensuring your employees never have the chance to “forget” about your security agenda.

Ultimately, an employee who regularly thinks about security is far more likely to take it seriously in their day-to-day life.

You Get What You Reinforce

Even with a great system and powerful content, security behaviors don’t change overnight. And even once you have installed the behaviors you want, you still need to actively maintain your program if you hope to retain them.

You see, poor security behaviors are like microwave meals. They’re easy, convenient, and they seem to get the job done. But if you keep on using them day in, day out, over a long period of time, they will catch up to you.

So when you’re developing your program, remember that powerful training isn’t a one-shot solution. If you’re serious about reducing cyber risk, you’ll need to develop a program that can be maintained and improved over a period of years.